US9979704B2 · Active · Utility patent

End-to-end security for virtual private service chains

Assignee: CISCO TECH INC
Priority: Dec 17, 2014 · Filed: Dec 17, 2014 · Granted: May 22, 2018
Est. expiry: Dec 17, 2034 (~8.5 yrs left) · nominal 20-yr term from priority
Inventors: SHATZKAMER KEVIN D; BOSCH HENDRIKUS G P; WAINNER WARREN SCOTT; GUICHARD JAMES N; KUMAR SURENDRA M
CPC: G06F 21/606; H04L 63/0428; G06F 2009/45587; G06F 9/45558; G06F 2009/45595
PatentIndex score: 52 · Cited by: 1 · References: 12 · Claims: 24

Abstract

A first virtual machine is established in a virtual private service chain to provide a first network service to virtual private service chain traffic. A second virtual machine is also established in the virtual private service chain to provide a second network service to the virtual private service chain traffic. The virtual private service chain traffic is encrypted for transmission within the virtual private service chain from the first virtual machine to the second virtual machine, wherein the encryption uses a key shared by the first and second virtual machines.

Claims

exact text as granted — not AI-modified
What is claimed is:

1. A method comprising:
   establishing a first virtual machine in a virtual private service chain associated with a tenant to provide a first network service to virtual private service chain traffic, wherein the virtual private service chain is established within a service platform provided by a service provider hosting a plurality of virtual private service chains for a plurality of tenants;
   establishing a second virtual machine in the virtual private service chain to provide a second network service to the virtual private service chain traffic;
   receiving an encryption key from a key server arranged outside the service platform and maintained by the tenant;
   encrypting the virtual private service chain traffic at the first virtual machine for transmission within the virtual private service chain from the first virtual machine to the second virtual machine using the encryption key, and
   transmitting the traffic from the first virtual machine to the second virtual machine within the service platform.

2. The method of claim 1, wherein the traffic is decrypted at the second virtual machine for application of the second network service.

3. The method of claim 2, wherein the traffic is encrypted at a first virtual network interface card of the first virtual machine internal to the virtual private service chain, and the traffic is decrypted at a second virtual interface card of the second virtual machine internal to the virtual private service chain.

4. The method of claim 1, wherein the key server is a group controller key server.

5. The method of claim 1, wherein the encryption key is different from a key used to encrypt external traffic prior to the external traffic entering the virtual private service chain.

6. The method of claim 1, wherein the encryption is performed according to a Group Domain of Interpretation (GDOI) protocol.

7. The method of claim 1, further comprising:
   decrypting the virtual private service chain traffic at the second virtual machine; and
   applying the second network service to the virtual private service chain traffic.

8. The method of claim 1, wherein establishing the second virtual machine comprises establishing the second virtual machine on a same physical network node on which the first virtual machine is established.

9. The method of claim 1, wherein establishing the second virtual machine comprises establishing the second virtual machine on a same virtual switch on which the first virtual machine is established.

10. The method of claim 1, wherein establishing the second virtual machine comprises establishing the second virtual machine on a physical network node that is different from a physical network node on which the first virtual machine is established.

11. A method comprising:
   retrieving an encryption key from a shared key server, wherein the retrieval of the encryption key is performed by a first virtual machine within a virtual private service chain associated with a tenant and is established within a service platform provided by a service provider hosting a plurality of virtual private service chains for a plurality of tenants, and wherein the shared key server is arranged outside the service platform and maintained by the tenant;
   receiving, at the first virtual machine from a second virtual machine within the virtual private service chain, traffic encrypted with the encryption key;
   decrypting the traffic using the encryption key;
   applying network services to the decrypted traffic;
   re-encrypting the decrypted traffic using the encryption key; and
   transmitting the traffic through the virtual private service chain.

12. The method of claim 11, wherein the traffic is decrypted at an interface of the first virtual machine internal to the virtual private service chain.

13. The method of claim 11, wherein the key server provides the encryption key to the first virtual machine and second virtual machine.

14. The method of claim 11, wherein:
   the key server is a group controller key server.

15. The method of claim 11, wherein the encryption key is different from a key used to encrypt the virtual private service chain traffic prior to the virtual private service chain traffic entering the virtual private service chain.

16. The method of claim 11, wherein retrieving the encryption key comprises retrieving the encryption key according to a Group Domain of Interpretation (GDOI) protocol.

17. The method of claim 11, wherein the first virtual machine and the second virtual machine are established on a same physical network node.

18. An apparatus comprising:
   a network interface unit to enable communication over a network; and
   a processor coupled to the network interface unit, that:
   establishes a first virtual machine within a virtual private service chain associated with a tenant to provide a first network service to virtual private service chain traffic, wherein the virtual private service chain is established within a service platform provided by a service provider hosting a plurality of virtual private service chains for a plurality of tenants;
   retrieves via the first virtual machine an encryption key from a shared key server arranged outside the service platform and maintained by the tenant;
   receives, from a second virtual machine within the virtual private service chain, traffic encrypted with the encryption key;
   decrypts via the first virtual machine the traffic using the encryption key;
   applies network services to the decrypted traffic via the first virtual machine;
   re-encrypts the decrypted traffic using the encryption key via the first virtual machine; and
   causes the traffic to be sent through the virtual private service chain.

19. The apparatus of claim 18, wherein the processor decrypts the traffic at an interface of the first virtual machine internal to the virtual private service chain.

20. The apparatus of claim 18, wherein the key server provides the encryption key to the first virtual machine and second virtual machine.

21. The apparatus of claim 18, wherein the processor retrieves the encryption key from a group controller key server.

22. The apparatus of claim 18, wherein the processor retrieves the encryption key that is different from a key used to encrypt external traffic prior to the external traffic entering the virtual private service chain.

23. The apparatus of claim 18, wherein the processor retrieves the encryption key according to a Group Domain of Interpretation (GDOI) protocol.

24. The apparatus of claim 18, wherein the first virtual machine and the second virtual machine are established on a same physical network node.
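The key-distribution and hop-by-hop re-encryption pattern the claims describe, as an added illustrative simulation (not the patent's or Cisco's code): a tenant-run key server outside the provider's platform issues a chain group key only to enrolled VMs; the first VM re-keys ingress traffic from a separate external key to the chain key (claim 5), the second VM decrypts, applies its service and re-encrypts with the same chain key (claim 11), and a VM holding another tenant's group key cannot read the traffic. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used only because the Python standard library has no AEAD; GDOI itself is not modelled, and all class and key names are assumptions.

```python
import hmac, hashlib, os, secrets

def _keystream(key, nonce, n):  # HMAC-SHA256 counter-mode PRF keystream (stand-in for a real AEAD)
    return b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, plaintext):  # encrypt-then-MAC; returns nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):  # raises ValueError on a wrong key or tampered traffic
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class TenantKeyServer:  # group controller run by the tenant, outside the provider's platform (assumed name)
    def __init__(self):
        self._chains = {}  # chain id -> (group key, enrolled VM ids)
    def create_chain(self, chain_id, members):
        self._chains[chain_id] = (secrets.token_bytes(32), set(members))
    def issue(self, chain_id, vm_id):  # only enrolled members of that chain get its key
        key, members = self._chains[chain_id]
        if vm_id not in members:
            raise PermissionError(f"{vm_id} is not enrolled in {chain_id}")
        return key

class ServiceVM:
    def __init__(self, vm_id, chain_id, ks, service):
        self.service = service
        self.key = ks.issue(chain_id, vm_id)  # the VM retrieves the chain key itself (claims 11, 18)
    def ingress(self, external_key, blob):  # first hop: external key in, chain key out (claim 5)
        return seal(self.key, self.service(unseal(external_key, blob)))
    def process(self, blob):  # decrypt, apply the service, re-encrypt with the chain key (claim 11)
        return seal(self.key, self.service(unseal(self.key, blob)))

def run_chain(packet):
    ks = TenantKeyServer()
    ks.create_chain("chain-A", {"vm1", "vm2"})
    ks.create_chain("chain-B", {"vm9"})  # another tenant's chain, with its own group key
    external_key = secrets.token_bytes(32)  # protects traffic before it enters the chain
    vm1 = ServiceVM("vm1", "chain-A", ks, lambda p: p + b"|fw")
    vm2 = ServiceVM("vm2", "chain-A", ks, lambda p: p + b"|nat")
    outsider = ServiceVM("vm9", "chain-B", ks, lambda p: p)
    hop1 = vm1.ingress(external_key, seal(external_key, packet))
    hop2 = vm2.process(hop1)
    try: outsider.process(hop1); leaked = True
    except ValueError: leaked = False  # the other tenant's key fails authentication
    return unseal(vm2.key, hop2), leaked, vm1.key != external_key
```

The provider's switch fabric between the two VMs sees only sealed blobs under the tenant's chain key, which is the property the claims are built around; a production deployment would use a real AEAD and GDOI group key management in place of the toy cipher here.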

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.